PPTP VPN, need to limit user internal access

cmonks
Level 1

I have Windows PPTP VPN access set up on an 1841 router. I need to be able to restrict access to internal hosts for VPN users. I have tried 'username access-class', but it does not seem to be working, unless I am just formatting my access list wrong or something.

!
username vpntest access-class 150 password test
access-list 150 permit ip 192.168.85.0 0.0.0.255 host 10.1.16.67
access-list 150 deny ip any any

VPDN pool is 192.168.85.0/24, main internal network is 192.168.80.0/24, with several others also (10.1.16.0/24).

In the example above, I want the VPN user to only be able to access that particular host. However, when I log in, I can ping any host.

4 Replies

amenyo101112
Level 1

Hi,

I am also trying to set up Windows PPTP VPN access on a Cisco 1841 router with IOS version 12.4. Could you please help me with the configs you used, as I am getting an error 619 message whenever I try connecting. I have a context-based access list firewall configured on the Internet interface. This is inspecting cuseeme, ftp, realaudio, tftp, udp, icmp and esmtp out. I have an extended access list configured on the LAN interface permitting protocol GRE and TCP port 1723, but it still gives me the same error. I can, however, connect when I am connected on the local LAN. This informs me it is an issue with the firewall configs. Any help please, ASAP.

Thanks

You say you have an access list on the LAN interface permitting GRE and 1723; do you also have one on the WAN interface, or was that a typo?

Here is what I have used to learn how to set up PPTP:

http://www.parkansky.com/tutorials/pptp.htm

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml

I also changed the setup of the Windows VPN client: set 'type of VPN' to PPTP and, under 'Security', select Custom, then check MS-CHAP and MS-CHAPv2.

Post your configs and I may be able to help more.

Thanks cmonks, I tried all the configs but am still getting the same error 619 message when establishing from the Internet. These are the configs:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname VPN Router

boot-start-marker
boot-end-marker

enable secret 5 $1$3GyN$7uNpSCfTKaEjFSktuzSba.

aaa new-model
aaa authentication login userauthen local
aaa authentication ppp default local-case
aaa authorization network default local
aaa authorization network groupauthor local
aaa session-id common

resource policy

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180

ip subnet-zero
ip cef

ip inspect name myfw cuseeme
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw icmp
ip inspect name myfw esmtp
ip ips notify SDEE

vpdn enable
no vpdn aaa untagged default

vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1

username xxxx password 7 113B1C084444520D07292E373B

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group CISCOVPNclient
 key cisco
 pool clients

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10
 set transform-set myset

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto

interface FastEthernet0
 description WAN interface
 encapsulation dot1Q 230
 ip address 192.168.10.4 255.255.255.240
 ip access-group incontrol in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 no snmp trap link-status
 crypto map clientmap

interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 ntp broadcast

interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool MSVPN
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2

ip local pool CISCOVPNclient 192.168.100.1 192.168.100.5
ip local pool MSVPN 172.16.1.240 172.16.1.249
ip classless
ip http server
no ip http secure-server
ip nat inside source route-map ISgtw interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.20

ip access-list extended mylan
 permit tcp 172.16.1.0 0.0.0.255 any eq www
 permit tcp 172.16.1.0 0.0.0.255 any eq 443
 permit tcp 172.16.1.0 0.0.0.255 any eq ftp
 permit icmp 172.16.1.0 0.0.0.255 any echo
 permit tcp host 172.16.1.2 any eq smtp
 permit tcp host 172.16.1.2 any eq pop3
 permit tcp 172.16.1.0 0.0.0.255 any eq 1723
 permit tcp 172.16.1.0 0.0.0.255 any eq smtp
 permit tcp 172.16.1.0 0.0.0.255 any eq pop3
 permit gre 172.16.1.0 0.0.0.255 any

ip access-list extended incontrol
 permit tcp any host 192.168.10.4 eq smtp
 permit tcp any host 192.168.10.4 eq 443
 permit esp any host 192.168.10.4
 permit udp any eq isakmp host 192.168.10.4
 permit tcp any host 192.168.10.4 eq 1723
 permit gre any host 192.168.10.4
 permit udp any host 192.168.10.4 eq isakmp
 permit udp any host 192.168.10.4 eq non500-isakmp
 permit udp any host 192.168.10.4 eq 1000
 permit tcp any host 192.168.10.4 eq 51
 permit tcp any host 192.168.10.4 eq 1000
 permit udp any host 192.168.10.4 eq 62515
 deny ip any any

route-map ISgtw permit 50
 match ip address mylan

control-plane

line con 0
line aux 0
line vty 0 4
 password 7 104D000A0618

I also have the Cisco VPN client configured, which works fine, but I am only able to receive mail and cannot send mail in Outlook when connected.

Hi,

You should have 'ip inspect myfw pptp' in order to allow PPTP return traffic.

You must also permit GRE and PPTP on your inside ACL.

Hope it helps.
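As an added illustration, not from any poster in this thread: a small Python model of IOS first-match ACL evaluation, run over the original question's access-list 150 and over the WAN-side entries the last reply says PPTP needs (TCP/1723 plus GRE). It shows only what each ACL would permit if it were applied to the flow, not whether IOS actually attaches it to the PPP session; the test flows, the client address 192.168.85.10 and the Internet peer 203.0.113.9 are constructed, and the parser assumes contiguous wildcard masks and ignores ICMP type keywords.

```python
import ipaddress

# Service names as IOS prints them in this thread's ACLs (constructed subset, not the full IOS table).
PORTS = {"www": 80, "ftp": 21, "smtp": 25, "pop3": 110, "isakmp": 500, "non500-isakmp": 4500}
_port = lambda tok: PORTS.get(tok) or int(tok)

def _addr(tokens):
    """Consume an IOS address spec ('any', 'host A', or 'A WILDCARD'); assumes a contiguous wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF   # wildcard -> netmask
    base = int(ipaddress.ip_address(tokens[0])) & mask
    return ipaddress.ip_network((base, bin(mask).count("1"))), tokens[2:]

def parse_ace(line):
    """Parse one entry, numbered ('access-list 150 permit ...') or named ('permit ...') form."""
    t = line.split()[2:] if line.startswith("access-list") else line.split()
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    sport, t = (_port(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)   # optional source port
    dst, t = _addr(t)
    dport = _port(t[1]) if t and t[0] == "eq" else None                    # optional destination port
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match evaluation of one flow against the ACL, with the IOS implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a["proto"] not in ("ip", proto) or s not in a["src"] or d not in a["dst"]:
            continue
        if (a["sport"] is not None and a["sport"] != sport) or (a["dport"] is not None and a["dport"] != dport):
            continue
        return a["action"]
    return "deny"

# The question's per-user ACL, and the WAN-side entries the last reply says PPTP needs (lines from the thread).
USER_ACL = [parse_ace(l) for l in ["access-list 150 permit ip 192.168.85.0 0.0.0.255 host 10.1.16.67",
                                   "access-list 150 deny ip any any"]]
WAN_ACL = [parse_ace(l) for l in ["permit tcp any host 192.168.10.4 eq 1723",
                                  "permit gre any host 192.168.10.4", "deny ip any any"]]

def check():   # constructed flows: 192.168.85.10 is a VPN client, 203.0.113.9 an Internet peer
    return {"vpn_to_allowed_host": evaluate(USER_ACL, "icmp", "192.168.85.10", "10.1.16.67"),
            "vpn_to_other_lan_host": evaluate(USER_ACL, "icmp", "192.168.85.10", "192.168.80.5"),
            "pptp_control": evaluate(WAN_ACL, "tcp", "203.0.113.9", "192.168.10.4", dport=1723),
            "gre_tunnel": evaluate(WAN_ACL, "gre", "203.0.113.9", "192.168.10.4"),
            "other_tcp": evaluate(WAN_ACL, "tcp", "203.0.113.9", "192.168.10.4", dport=1724)}
```

Because access-list 150 by itself only permits the one host, a VPN client that can still ping everything is evidence the list is not being applied to that client's traffic, which is the next thing to verify on the router.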
